hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From whe...@apache.org
Subject svn commit: r1574284 - in /hadoop/common/branches/branch-2/hadoop-common-project: hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/ hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/ hadoop-common/ had...
Date Wed, 05 Mar 2014 01:50:29 GMT
Author: wheat9
Date: Wed Mar  5 01:50:28 2014
New Revision: 1574284

URL: http://svn.apache.org/r1574284
Log:
Merge r1574283 from trunk

Added:
    hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpCookieFlag.java
      - copied unchanged from r1574283, hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/http/TestHttpCookieFlag.java
Modified:
    hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
    hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
    hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt
    hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java

Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java?rev=1574284&r1=1574283&r2=1574284&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
(original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
Wed Mar  5 01:50:28 2014
@@ -13,6 +13,8 @@
  */
 package org.apache.hadoop.security.authentication.server;
 
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.authentication.client.AuthenticationException;
 import org.apache.hadoop.security.authentication.util.Signer;
@@ -32,9 +34,8 @@ import javax.servlet.http.HttpServletReq
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.security.Principal;
-import java.util.Enumeration;
-import java.util.Properties;
-import java.util.Random;
+import java.text.SimpleDateFormat;
+import java.util.*;
 
 /**
  * The {@link AuthenticationFilter} enables protecting web application resources with different
(pluggable)
@@ -69,6 +70,9 @@ import java.util.Random;
  * the prefix from it and it will pass them to the the authentication handler for initialization.
Properties that do
  * not start with the prefix will not be passed to the authentication handler initialization.
  */
+
+@InterfaceAudience.Private
+@InterfaceStability.Unstable
 public class AuthenticationFilter implements Filter {
 
   private static Logger LOG = LoggerFactory.getLogger(AuthenticationFilter.class);
@@ -331,6 +335,7 @@ public class AuthenticationFilter implem
     String unauthorizedMsg = "";
     HttpServletRequest httpRequest = (HttpServletRequest) request;
     HttpServletResponse httpResponse = (HttpServletResponse) response;
+    boolean isHttps = "https".equals(httpRequest.getScheme());
     try {
       boolean newToken = false;
       AuthenticationToken token;
@@ -378,8 +383,8 @@ public class AuthenticationFilter implem
           };
           if (newToken && !token.isExpired() && token != AuthenticationToken.ANONYMOUS)
{
             String signedToken = signer.sign(token.toString());
-            Cookie cookie = createCookie(signedToken);
-            httpResponse.addCookie(cookie);
+            createAuthCookie(httpResponse, signedToken, getCookieDomain(),
+                    getCookiePath(), token.getExpires(), isHttps);
           }
           filterChain.doFilter(httpRequest, httpResponse);
         }
@@ -392,31 +397,52 @@ public class AuthenticationFilter implem
     }
     if (unauthorizedResponse) {
       if (!httpResponse.isCommitted()) {
-        Cookie cookie = createCookie("");
-        cookie.setMaxAge(0);
-        httpResponse.addCookie(cookie);
-        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, unauthorizedMsg);
+        createAuthCookie(httpResponse, "", getCookieDomain(),
+                getCookiePath(), 0, isHttps);
+        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,
+                unauthorizedMsg);
       }
     }
   }
 
   /**
-   * Creates the Hadoop authentiation HTTP cookie.
-   * <p/>
-   * It sets the domain and path specified in the configuration.
+   * Creates the Hadoop authentication HTTP cookie.
    *
    * @param token authentication token for the cookie.
+   * @param expires UNIX timestamp that indicates the expire date of the
+   *                cookie. It has no effect if its value < 0.
    *
-   * @return the HTTP cookie.
+   * XXX the following code duplicate some logic in Jetty / Servlet API,
+   * because of the fact that Hadoop is stuck at servlet 3.0 and jetty 6
+   * right now.
    */
-  protected Cookie createCookie(String token) {
-    Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, token);
-    if (getCookieDomain() != null) {
-      cookie.setDomain(getCookieDomain());
+  public static void createAuthCookie(HttpServletResponse resp, String token,
+                                      String domain, String path, long expires,
+                                      boolean isSecure) {
+    StringBuilder sb = new StringBuilder(AuthenticatedURL.AUTH_COOKIE).append
+            ("=").append(token);
+
+    if (path != null) {
+      sb.append("; Path=").append(path);
     }
-    if (getCookiePath() != null) {
-      cookie.setPath(getCookiePath());
+
+    if (domain != null) {
+      sb.append("; Domain=").append(domain);
     }
-    return cookie;
+
+    if (expires >= 0) {
+      Date date = new Date(expires);
+      SimpleDateFormat df = new SimpleDateFormat("EEE, " +
+              "dd-MMM-yyyy HH:mm:ss zzz");
+      df.setTimeZone(TimeZone.getTimeZone("GMT"));
+      sb.append("; Expires=").append(df.format(date));
+    }
+
+    if (isSecure) {
+      sb.append("; Secure");
+    }
+
+    sb.append("; HttpOnly");
+    resp.addHeader("Set-Cookie", sb.toString());
   }
 }

Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java?rev=1574284&r1=1574283&r2=1574284&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
(original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestAuthenticationFilter.java
Wed Mar  5 01:50:28 2014
@@ -18,6 +18,7 @@ import org.apache.hadoop.security.authen
 import org.apache.hadoop.security.authentication.util.Signer;
 import org.junit.Assert;
 import org.junit.Test;
+import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
@@ -31,9 +32,7 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.Arrays;
-import java.util.Properties;
-import java.util.Vector;
+import java.util.*;
 
 public class TestAuthenticationFilter {
 
@@ -400,103 +399,87 @@ public class TestAuthenticationFilter {
                                            boolean invalidToken,
                                            boolean expired) throws Exception {
     AuthenticationFilter filter = new AuthenticationFilter();
-    try {
-      FilterConfig config = Mockito.mock(FilterConfig.class);
-      Mockito.when(config.getInitParameter("management.operation.return")).
-        thenReturn("true");
-      Mockito.when(config.getInitParameter("expired.token")).
-        thenReturn(Boolean.toString(expired));
-      Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE)).thenReturn(
-        DummyAuthenticationHandler.class.getName());
-      Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TOKEN_VALIDITY)).thenReturn("1000");
-      Mockito.when(config.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET)).thenReturn("secret");
-      Mockito.when(config.getInitParameterNames()).thenReturn(
-        new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
-                                 AuthenticationFilter.AUTH_TOKEN_VALIDITY,
-                                 AuthenticationFilter.SIGNATURE_SECRET,
-                                 "management.operation.return",
-                                 "expired.token")).elements());
-
-      if (withDomainPath) {
-        Mockito.when(config.getInitParameter(AuthenticationFilter.COOKIE_DOMAIN)).thenReturn(".foo.com");
-        Mockito.when(config.getInitParameter(AuthenticationFilter.COOKIE_PATH)).thenReturn("/bar");
-        Mockito.when(config.getInitParameterNames()).thenReturn(
-          new Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
-                                   AuthenticationFilter.AUTH_TOKEN_VALIDITY,
-                                   AuthenticationFilter.SIGNATURE_SECRET,
-                                   AuthenticationFilter.COOKIE_DOMAIN,
-                                   AuthenticationFilter.COOKIE_PATH,
-                                   "management.operation.return")).elements());
+    FilterConfig config = Mockito.mock(FilterConfig.class);
+    Mockito.when(config.getInitParameter("management.operation.return")).
+            thenReturn("true");
+    Mockito.when(config.getInitParameter("expired.token")).
+            thenReturn(Boolean.toString(expired));
+    Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE))
+            .thenReturn(DummyAuthenticationHandler.class.getName());
+    Mockito.when(config.getInitParameter(AuthenticationFilter
+            .AUTH_TOKEN_VALIDITY)).thenReturn("1000");
+    Mockito.when(config.getInitParameter(AuthenticationFilter
+            .SIGNATURE_SECRET)).thenReturn("secret");
+    Mockito.when(config.getInitParameterNames()).thenReturn(new
+            Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
+            AuthenticationFilter.AUTH_TOKEN_VALIDITY,
+            AuthenticationFilter.SIGNATURE_SECRET, "management.operation" +
+            ".return", "expired.token")).elements());
+
+    if (withDomainPath) {
+      Mockito.when(config.getInitParameter(AuthenticationFilter
+              .COOKIE_DOMAIN)).thenReturn(".foo.com");
+      Mockito.when(config.getInitParameter(AuthenticationFilter.COOKIE_PATH))
+              .thenReturn("/bar");
+      Mockito.when(config.getInitParameterNames()).thenReturn(new
+              Vector<String>(Arrays.asList(AuthenticationFilter.AUTH_TYPE,
+              AuthenticationFilter.AUTH_TOKEN_VALIDITY,
+              AuthenticationFilter.SIGNATURE_SECRET,
+              AuthenticationFilter.COOKIE_DOMAIN, AuthenticationFilter
+              .COOKIE_PATH, "management.operation.return")).elements());
+    }
+
+    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    Mockito.when(request.getParameter("authenticated")).thenReturn("true");
+    Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer
+            ("http://foo:8080/bar"));
+    Mockito.when(request.getQueryString()).thenReturn("authenticated=true");
+
+    if (invalidToken) {
+      Mockito.when(request.getCookies()).thenReturn(new Cookie[]{new Cookie
+              (AuthenticatedURL.AUTH_COOKIE, "foo")});
+    }
+
+    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+    FilterChain chain = Mockito.mock(FilterChain.class);
+
+    final HashMap<String, String> cookieMap = new HashMap<String, String>();
+    Mockito.doAnswer(new Answer<Object>() {
+      @Override
+      public Object answer(InvocationOnMock invocation) throws Throwable {
+        String cookieHeader = (String)invocation.getArguments()[1];
+        parseCookieMap(cookieHeader, cookieMap);
+        return null;
       }
+    }).when(response).addHeader(Mockito.eq("Set-Cookie"), Mockito.anyString());
 
+    try {
       filter.init(config);
-
-      HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
-      Mockito.when(request.getParameter("authenticated")).thenReturn("true");
-      Mockito.when(request.getRequestURL()).thenReturn(new StringBuffer("http://foo:8080/bar"));
-      Mockito.when(request.getQueryString()).thenReturn("authenticated=true");
-
-      if (invalidToken) {
-        Mockito.when(request.getCookies()).thenReturn(
-          new Cookie[] { new Cookie(AuthenticatedURL.AUTH_COOKIE, "foo")}
-        );
-      }
-
-      HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
-
-      FilterChain chain = Mockito.mock(FilterChain.class);
-
-      final boolean[] calledDoFilter = new boolean[1];
-
-      Mockito.doAnswer(
-        new Answer<Object>() {
-          @Override
-          public Object answer(InvocationOnMock invocation) throws Throwable {
-            calledDoFilter[0] = true;
-            return null;
-          }
-        }
-      ).when(chain).doFilter(Mockito.<ServletRequest>anyObject(), Mockito.<ServletResponse>anyObject());
-
-      final Cookie[] setCookie = new Cookie[1];
-      Mockito.doAnswer(
-        new Answer<Object>() {
-          @Override
-          public Object answer(InvocationOnMock invocation) throws Throwable {
-            Object[] args = invocation.getArguments();
-            setCookie[0] = (Cookie) args[0];
-            return null;
-          }
-        }
-      ).when(response).addCookie(Mockito.<Cookie>anyObject());
-
       filter.doFilter(request, response, chain);
 
       if (expired) {
         Mockito.verify(response, Mockito.never()).
           addCookie(Mockito.any(Cookie.class));
       } else {
-        Assert.assertNotNull(setCookie[0]);
-        Assert.assertEquals(AuthenticatedURL.AUTH_COOKIE, setCookie[0].getName());
-        Assert.assertTrue(setCookie[0].getValue().contains("u="));
-        Assert.assertTrue(setCookie[0].getValue().contains("p="));
-        Assert.assertTrue(setCookie[0].getValue().contains("t="));
-        Assert.assertTrue(setCookie[0].getValue().contains("e="));
-        Assert.assertTrue(setCookie[0].getValue().contains("s="));
-        Assert.assertTrue(calledDoFilter[0]);
+        String v = cookieMap.get(AuthenticatedURL.AUTH_COOKIE);
+        Assert.assertNotNull(v);
+        Assert.assertTrue(v.contains("u=") && v.contains("p=") && v.contains
+                ("t=") && v.contains("e=") && v.contains("s="));
+        Mockito.verify(chain).doFilter(Mockito.any(ServletRequest.class),
+                Mockito.any(ServletResponse.class));
 
         Signer signer = new Signer("secret".getBytes());
-        String value = signer.verifyAndExtract(setCookie[0].getValue());
+        String value = signer.verifyAndExtract(v);
         AuthenticationToken token = AuthenticationToken.parse(value);
         Assert.assertEquals(System.currentTimeMillis() + 1000 * 1000,
                      token.getExpires(), 100);
 
         if (withDomainPath) {
-          Assert.assertEquals(".foo.com", setCookie[0].getDomain());
-          Assert.assertEquals("/bar", setCookie[0].getPath());
+          Assert.assertEquals(".foo.com", cookieMap.get("Domain"));
+          Assert.assertEquals("/bar", cookieMap.get("Path"));
         } else {
-          Assert.assertNull(setCookie[0].getDomain());
-          Assert.assertNull(setCookie[0].getPath());
+          Assert.assertFalse(cookieMap.containsKey("Domain"));
+          Assert.assertFalse(cookieMap.containsKey("Path"));
         }
       }
     } finally {
@@ -504,6 +487,26 @@ public class TestAuthenticationFilter {
     }
   }
 
+  private static void parseCookieMap(String cookieHeader, HashMap<String,
+          String> cookieMap) {
+    for (String pair : cookieHeader.split(";")) {
+      String p = pair.trim();
+      int idx = p.indexOf('=');
+      final String k, v;
+      if (idx == -1) {
+        k = p;
+        v = null;
+      } else if (idx == p.length()) {
+        k = p.substring(0, idx - 1);
+        v = null;
+      } else {
+        k = p.substring(0, idx);
+        v = p.substring(idx + 1);
+      }
+      cookieMap.put(k, v);
+    }
+  }
+
   @Test
   public void testDoFilterAuthentication() throws Exception {
     _testDoFilterAuthentication(false, false, false);
@@ -601,41 +604,39 @@ public class TestAuthenticationFilter {
       Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});
 
       HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
-
       FilterChain chain = Mockito.mock(FilterChain.class);
 
-      Mockito.doAnswer(
-        new Answer<Object>() {
-          @Override
-          public Object answer(InvocationOnMock invocation) throws Throwable {
-            Assert.fail();
-            return null;
-          }
-        }
-      ).when(chain).doFilter(Mockito.<ServletRequest>anyObject(), Mockito.<ServletResponse>anyObject());
+      verifyUnauthorized(filter, request, response, chain);
+    } finally {
+      filter.destroy();
+    }
+  }
 
-      final Cookie[] setCookie = new Cookie[1];
-      Mockito.doAnswer(
-        new Answer<Object>() {
-          @Override
-          public Object answer(InvocationOnMock invocation) throws Throwable {
-            Object[] args = invocation.getArguments();
-            setCookie[0] = (Cookie) args[0];
-            return null;
-          }
-        }
-      ).when(response).addCookie(Mockito.<Cookie>anyObject());
+  private static void verifyUnauthorized(AuthenticationFilter filter,
+                                         HttpServletRequest request,
+                                         HttpServletResponse response,
+                                         FilterChain chain) throws
+                                                            IOException,
+                                                            ServletException {
+    final HashMap<String, String> cookieMap = new HashMap<String, String>();
+    Mockito.doAnswer(new Answer<Object>() {
+      @Override
+      public Object answer(InvocationOnMock invocation) throws Throwable {
+        String cookieHeader = (String) invocation.getArguments()[1];
+        parseCookieMap(cookieHeader, cookieMap);
+        return null;
+      }
+    }).when(response).addHeader(Mockito.eq("Set-Cookie"), Mockito.anyString());
 
-      filter.doFilter(request, response, chain);
+    filter.doFilter(request, response, chain);
 
-      Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED),
Mockito.anyString());
+    Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse
+            .SC_UNAUTHORIZED), Mockito.anyString());
+    Mockito.verify(chain, Mockito.never()).doFilter(Mockito.any
+            (ServletRequest.class), Mockito.any(ServletResponse.class));
 
-      Assert.assertNotNull(setCookie[0]);
-      Assert.assertEquals(AuthenticatedURL.AUTH_COOKIE, setCookie[0].getName());
-      Assert.assertEquals("", setCookie[0].getValue());
-    } finally {
-      filter.destroy();
-    }
+    Assert.assertTrue(cookieMap.containsKey(AuthenticatedURL.AUTH_COOKIE));
+    Assert.assertEquals("", cookieMap.get(AuthenticatedURL.AUTH_COOKIE));
   }
 
   @Test
@@ -665,38 +666,9 @@ public class TestAuthenticationFilter {
       Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});
 
       HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
-
       FilterChain chain = Mockito.mock(FilterChain.class);
 
-      Mockito.doAnswer(
-        new Answer<Object>() {
-          @Override
-          public Object answer(InvocationOnMock invocation) throws Throwable {
-            Assert.fail();
-            return null;
-          }
-        }
-      ).when(chain).doFilter(Mockito.<ServletRequest>anyObject(), Mockito.<ServletResponse>anyObject());
-
-      final Cookie[] setCookie = new Cookie[1];
-      Mockito.doAnswer(
-        new Answer<Object>() {
-          @Override
-          public Object answer(InvocationOnMock invocation) throws Throwable {
-            Object[] args = invocation.getArguments();
-            setCookie[0] = (Cookie) args[0];
-            return null;
-          }
-        }
-      ).when(response).addCookie(Mockito.<Cookie>anyObject());
-
-      filter.doFilter(request, response, chain);
-
-      Mockito.verify(response).sendError(Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED),
Mockito.anyString());
-
-      Assert.assertNotNull(setCookie[0]);
-      Assert.assertEquals(AuthenticatedURL.AUTH_COOKIE, setCookie[0].getName());
-      Assert.assertEquals("", setCookie[0].getValue());
+      verifyUnauthorized(filter, request, response, chain);
     } finally {
       filter.destroy();
     }

Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1574284&r1=1574283&r2=1574284&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt (original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt Wed Mar
 5 01:50:28 2014
@@ -58,6 +58,9 @@ Release 2.4.0 - UNRELEASED
     HADOOP-8691. FsShell can print "Found xxx items" unnecessarily often.
     (Daryn Sharp via wheat9)
 
+    HADOOP-10379. Protect authentication cookies with the HttpOnly and Secure
+    flags. (wheat9)
+
   OPTIMIZATIONS
 
   BUG FIXES

Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java?rev=1574284&r1=1574283&r2=1574284&view=diff
==============================================================================
--- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
(original)
+++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
Wed Mar  5 01:50:28 2014
@@ -67,12 +67,14 @@ import org.mortbay.jetty.Handler;
 import org.mortbay.jetty.MimeTypes;
 import org.mortbay.jetty.RequestLog;
 import org.mortbay.jetty.Server;
+import org.mortbay.jetty.SessionManager;
 import org.mortbay.jetty.handler.ContextHandler;
 import org.mortbay.jetty.handler.ContextHandlerCollection;
 import org.mortbay.jetty.handler.HandlerCollection;
 import org.mortbay.jetty.handler.RequestLogHandler;
 import org.mortbay.jetty.nio.SelectChannelConnector;
 import org.mortbay.jetty.security.SslSocketConnector;
+import org.mortbay.jetty.servlet.AbstractSessionManager;
 import org.mortbay.jetty.servlet.Context;
 import org.mortbay.jetty.servlet.DefaultServlet;
 import org.mortbay.jetty.servlet.FilterHolder;
@@ -356,6 +358,13 @@ public final class HttpServer2 implement
     threadPool.setDaemon(true);
     webServer.setThreadPool(threadPool);
 
+    SessionManager sm = webAppContext.getSessionHandler().getSessionManager();
+    if (sm instanceof AbstractSessionManager) {
+      AbstractSessionManager asm = (AbstractSessionManager)sm;
+      asm.setHttpOnly(true);
+      asm.setSecureCookies(true);
+    }
+
     ContextHandlerCollection contexts = new ContextHandlerCollection();
     RequestLog requestLog = HttpRequestLog.getRequestLog(name);
 



Mime
View raw message